1. Field of the Invention
The present invention relates to protection from attacks and fraud in a communication network with application proxies that are subscriber aware, such as service gateways that regulate application activity; and, in particular, to discerning a user identifier other than the network address of a user initiating an attack or fraud in order to end the intrusion, such as a scanning attack that initiates packet flows to a large number of destinations in a short time.
2. Description of the Related Art
Networks of general-purpose computer systems and other devices connected by external communication links are well known. The networks often include one or more network devices that facilitate the passage of information between the computer systems. A network node is a network device or computer system connected by the communication links. As used herein, an end node is a network node that is configured to originate or terminate communications over the network. In contrast, an intermediate network node facilitates the passage of data between end nodes.
Information is exchanged between network nodes according to one or more of many well known, new or still developing protocols. In this context, a protocol consists of a set of rules defining how the nodes interact with each other based on information sent over the communication links. The protocols are effective at different layers of operation within each node, from generating and receiving physical signals of various types, to selecting a link for transferring those signals, to the format of information indicated by those signals, to identifying which software application executing on a computer system sends or receives the information. The conceptually different layers of protocols for exchanging information over a network are described in the Open Systems Interconnection (OSI) Reference Model. The OSI Reference Model is generally described in more detail in Section 1.1 of the reference book entitled Interconnections Second Edition, by Radia Perlman, published September 1999, which is hereby incorporated by reference as though fully set forth herein.
Communications between nodes are typically effected by exchanging discrete packets of data. Each packet typically comprises (1) header information associated with a particular protocol, and (2) payload information that follows the header information and contains information that may be processed independently of that particular protocol. In some protocols, the packet includes (3) trailer information following the payload and indicating the end of the payload information. The header includes information such as the source of the packet, its destination, the length of the payload, and other properties used by the protocol. Often, the data in the payload for the particular protocol includes a header and payload for a different protocol associated with a different, typically higher layer of the OSI Reference Model. The header for a particular protocol typically indicates a type for the next protocol contained in its payload. The higher layer protocol is said to be encapsulated in the lower layer protocol. The headers included in a packet traversing multiple heterogeneous networks, such as the Internet, typically include a physical (layer 1) header, a data-link (layer 2) header, an internetwork (layer 3) header, and some combination of a transport (layer 4) header, a session (layer 5) header, a presentation (layer 6) header and an application (layer 7) header as defined by the OSI Reference Model. In networking parlance, a tunnel for data is simply a protocol that encapsulates that data.
Subscribers obtain access to a packet-switched network (PSN) of an Internet Service Provider (ISP) through a Network Access Server (NAS). A subscriber often uses a link-layer protocol to form a temporary tunnel between the subscriber's device and the NAS. The contents of the tunneling protocol payload are not involved in determining the path. The NAS determines whether an entity attempting access is in fact a subscriber authorized to access the network by exchanging packets with an Authentication, Authorization, and Accounting (AAA) server. Example well-known AAA servers include the Remote Authentication Dial In User Service (RADIUS) server, Terminal Access Controller Access Control System (TACACS), and the DIAMETER server. Once the entity is authenticated to be an authorized subscriber, then access is granted to the ISP network, the subscriber is assigned a network layer address, such as an Internet Protocol (IP) address, and internetwork-layer payloads are routed based on the internetwork and higher layer header information.
A modern ISP can offer different services to different subscribers, including services delivered in protocol layers 4 through 7. For example, the rate of data delivery of large Web pages to some subscribers can be increased by compressing the Web pages before delivery and un-compressing the Web pages at a process on the subscriber's own equipment.
As is well known in the art, Web pages are transmitted over a network using the Hypertext Transfer Protocol (HTTP), an application-layer (layer 7) protocol. Certain Web pages can be blocked using a Web filtering service. A service that provides some combination of compression, filtering and local caching of Web pages is called Web optimization. Some subscribers use mobile devices, such as cell phones, that have smaller memory and display capacities than other network devices. Web pages are communicated to such mobile devices using special protocols, such as the Wireless Application Protocol (WAP), an application-layer protocol. HTTP payloads are translated to WAP payloads before delivery to these subscribers.
To deliver these special services, service gateways are included in the ISP packet switched networks. Service gateways are processes that operate on intermediate network devices between the source and the destination of data packets. The service gateways inspect packet payloads for the purpose of delivering a network service. Example services include payload translation, just described, and other payload changes, as well as special billing, rating, filtering services and other services that do not modify the contents of a payload. For example, Web compression gateways compress HTTP payloads of data packets directed to a subscriber's device and un-compress HTTP payloads of data packets originating from a subscriber's device. A WAP 1.x gateway converts HTTP payloads of data packets directed to a subscriber's device to WAP 1.x payloads and converts WAP 1.x payloads of data packets originating from a subscriber's device to HTTP payloads. Some ISPs offer different services to different subscribers. These are subscriber-aware services.
To ensure that a service gateway for a service offered by the ISP is included in packet-switched paths from the subscriber to any destination on the network accessed by the ISP network, the service gateway is included as a proxy for an actual destination used to set up a subscriber's session on the network. For example, AAA server traffic for a NAS is directed to a service gateway, which serves as a proxy for the AAA server. A subscriber-aware service gateway monitors the AAA server traffic to determine the remote user's network identifier and whether the remote user has subscribed to the service provided by the gateway. For example, the service gateway monitors RADIUS to determine mapping of subscriber ID to currently assigned network ID; and, in addition, RADIUS is used to relay information on users' subscribed service profile to the network elements from a back-end database, typically behind the RADIUS server.
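The RADIUS monitoring described above can be illustrated with a small parser. The following is an added example, not code from the patent or from any gateway product: it decodes RFC 2866 Accounting-Request packets (Code 4; attributes User-Name 1, Framed-IP-Address 8, Acct-Status-Type 40) and keeps the current subscriber-ID-to-network-ID mapping that a subscriber-aware gateway would consult. The sample packets are constructed inline with a zeroed authenticator; the helper and class names are this example's own.

```python
"""Minimal RADIUS Accounting-Request parser maintaining a subscriber-to-IP map.

Added example (not from the patent). Assumes RFC 2866 framing: a 20-byte header
(Code, Identifier, Length, 16-byte Authenticator) followed by attribute TLVs
whose one-byte length includes the two header bytes.
"""
import struct
from typing import Dict, Optional, Tuple

ACCOUNTING_REQUEST = 4           # RADIUS Code for Accounting-Request (RFC 2866)
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2     # Acct-Status-Type values


def parse_attributes(payload: bytes) -> Dict[int, bytes]:
    """Walk the TLV list, rejecting truncated or zero-length attributes."""
    attrs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs[atype] = payload[pos + 2:pos + alen]
        pos += alen
    return attrs


def parse_accounting(packet: bytes) -> Optional[Tuple[str, str, int]]:
    """Return (user_name, framed_ip, status) for an Accounting-Request, else None."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    if code != ACCOUNTING_REQUEST:
        return None
    attrs = parse_attributes(packet[20:length])
    try:
        user = attrs[ATTR_USER_NAME].decode("utf-8")
        ip = ".".join(str(b) for b in attrs[ATTR_FRAMED_IP_ADDRESS])
        status = struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0]
    except KeyError:
        return None              # not enough information to update the mapping
    return user, ip, status


class SubscriberMap:
    """Tracks which subscriber currently holds which network-layer address."""

    def __init__(self) -> None:
        self.ip_to_user: Dict[str, str] = {}

    def observe(self, packet: bytes) -> None:
        parsed = parse_accounting(packet)
        if parsed is None:
            return
        user, ip, status = parsed
        if status == ACCT_START:
            self.ip_to_user[ip] = user
        elif status == ACCT_STOP and self.ip_to_user.get(ip) == user:
            del self.ip_to_user[ip]

    def user_for(self, ip: str) -> Optional[str]:
        return self.ip_to_user.get(ip)


def build_accounting(user: str, ip: str, status: int, ident: int = 1) -> bytes:
    """Construct a sample Accounting-Request (constructed data, zero authenticator)."""
    def attr(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value
    body = (attr(ATTR_USER_NAME, user.encode("utf-8"))
            + attr(ATTR_FRAMED_IP_ADDRESS, bytes(int(o) for o in ip.split(".")))
            + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body


if __name__ == "__main__":
    m = SubscriberMap()
    m.observe(build_accounting("alice", "10.0.0.5", ACCT_START))
    print(m.user_for("10.0.0.5"))      # alice
```

A real gateway would also verify the Request Authenticator against the shared secret before trusting the packet, which this example omits for brevity.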
It is common for an ISP to include a cluster of service gateways so the service can be scaled to the number of subscribers. To distribute traffic among the service gateways in the cluster, a load balancer process is included in the path between the NAS (or other end node) and the cluster of service gateways.
It is also common for an ISP to include a firewall server in the path between the NAS and the service gateway (or its load balancer process). The firewall determines whether data packets are received from an unwanted source or directed to an unwanted destination on the access network and does not forward such data packets. The unwanted sources and destinations are identified by their IP addresses. The IP addresses of unwanted sources and destinations are determined by a policy indicated by policy data at the firewall. The policy may be based on static lists of IP addresses, or dynamically determined IP addresses based on one or more characteristics of a flow of data packets.
A flow of data packets is a series of one or more data packets within a reasonable period of time from the same source process to the same destination process on a network. The source and destination processes are typically identified based on some combination of their layer 3 IP addresses and layer 4 transport ports. Unwanted IP addresses may be defined in any manner, including static lists of one or more IP addresses, and methods for dynamically determining one or more unwanted IP addresses based on characteristics of one or more flows with that IP address. Intermediate network node operating systems, such as the Internetwork Operating System (IOS) of Cisco Systems, San Jose, Calif., define Access Control Lists (ACL) for identifying and filtering unwanted IP addresses.
While suitable for many purposes, there are some deficiencies with the prior approaches that use firewalls to exclude unwanted traffic. One deficiency is that firewalls are sometimes not deployed by customers because the firewalls add to the cost of a network and can diminish the perceived performance. Thus firewalls are sometimes not deployed, leaving the service gateways vulnerable to attacks in layers 4 through 7. For example, in a scan attack, a malicious process running on an end node can initiate traffic to a large number of IP address (layer 3) and port (layer 4) destination combinations on the target network within a short period of time. Resources at the service gateway and beyond are consumed in processing individual transactions within each such flow to engage the correct server for the corresponding subscriber. If a sufficient number of such flows are initiated, the service gateway or its cluster can become so encumbered that legitimate flows are not processed in a timely manner or, in some cases, at all.
Another deficiency is that a firewall alerted to the IP address of such a malicious end node only protects against traffic from that same IP address. The actual subscriber using the device with the unwanted IP address is not identified. Thus if the same subscriber switches the attack to launch from another device with a different IP address, such as by moving with a cell phone to a different point in the access network or to a different access network, the firewall has to rediscover the new unwanted IP address. In the meantime the service gateway and access network have both wasted resources on the data flows from the same malicious subscriber at the new IP address.
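The scan-attack pattern described two paragraphs above (many distinct destination IP/port combinations from one source in a short period) and the deficiency just described (keying only on the source IP address) can be shown side by side with a sliding-window detector. The following is an added example, not from the patent: it counts distinct destinations per key within a time window and runs once keyed by source IP and once keyed by subscriber name using a constructed IP-to-subscriber table. The flow records, names, threshold and window are all constructed for illustration.

```python
"""Sliding-window scan detector keyed by IP or by subscriber (added example)."""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Optional, Set, Tuple

Flow = Tuple[float, str, str, int]        # (timestamp_s, src_ip, dst_ip, dst_port)
Destination = Tuple[str, int]

# Constructed mapping a subscriber-aware gateway would learn from AAA traffic.
IP_TO_SUBSCRIBER: Dict[str, str] = {
    "10.0.0.9": "mallory",   # first attachment point
    "10.0.1.9": "mallory",   # same subscriber after moving to a new IP
    "10.0.0.2": "alice",
}


class ScanDetector:
    """Alerts once per key when distinct destinations in the window reach a threshold."""

    def __init__(self, window_s: float, threshold: int,
                 key_fn: Callable[[str], str]) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self.key_fn = key_fn
        self._events: Dict[str, Deque[Tuple[float, Destination]]] = defaultdict(deque)
        self.alerted: Set[str] = set()

    def observe(self, flow: Flow) -> Optional[str]:
        ts, src, dst, port = flow
        key = self.key_fn(src)
        q = self._events[key]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > self.window_s:   # expire old flows
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= self.threshold and key not in self.alerted:
            self.alerted.add(key)
            return key
        return None


def run(flows: List[Flow], detector: ScanDetector) -> List[str]:
    """Feed flows in timestamp order and collect the keys that triggered an alert."""
    alerts = []
    for flow in sorted(flows):
        key = detector.observe(flow)
        if key is not None:
            alerts.append(key)
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed traffic: one scanning subscriber that changes IP, one normal user."""
    flows: List[Flow] = []
    for i in range(8):                            # 8 destinations from the first IP
        flows.append((float(i), "10.0.0.9", f"198.51.100.{i}", 80))
    for i in range(8, 16):                        # 8 more after moving to a new IP
        flows.append((float(i), "10.0.1.9", f"198.51.100.{i}", 80))
    for i in range(20):                           # alice: many flows, one destination
        flows.append((i * 0.5, "10.0.0.2", "203.0.113.10", 443))
    return flows


def detect_by_ip(flows: List[Flow]) -> List[str]:
    return run(flows, ScanDetector(window_s=30.0, threshold=12, key_fn=lambda ip: ip))


def detect_by_subscriber(flows: List[Flow]) -> List[str]:
    return run(flows, ScanDetector(window_s=30.0, threshold=12,
                                   key_fn=lambda ip: IP_TO_SUBSCRIBER.get(ip, ip)))


if __name__ == "__main__":
    print("by IP:        ", detect_by_ip(sample_flows()))          # []
    print("by subscriber:", detect_by_subscriber(sample_flows()))  # ['mallory']
```

Keyed by IP, neither of the scanning subscriber's addresses reaches the threshold on its own; keyed by subscriber, the two halves of the scan are attributed to one user and an alert fires while the user is still attached.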
Another deficiency is that a firewall alerted to the IP address of such a malicious end node only protects the target network downstream from the firewall. Thus detecting malicious traffic from a user on the access network at a firewall on the target network protects the target network but not the access network. Considerable access network resources upstream of the firewall are consumed by the attack only for the traffic to be dropped by the firewall in protecting the target network.
Another disadvantage is that firewalls do not detect fraud. Whereas an attack is typically aimed at openly degrading the performance of equipment of the ISP, fraud is typically aimed at undetectably running non-permitted protocols/applications on the network without. The firewall is often unable to determine whether a reasonable amount of traffic represents an unauthorized use of privileged or restricted protocols or applications.
Based on the foregoing description, there is a clear need for protection from attacks and fraud (called hereinafter “intrusions”) that consume significant network resources for service gateway processes, which protection does not suffer all the deficiencies of prior art approaches. In particular, there is a need for techniques that detect intrusions in layer 4 through layer 7 protocols and either identify users of malicious end nodes by name or detach such malicious end nodes from the access network to free up resources in the access network, or both.